TRENDING

Could a cyber ecosystem automatically defend government networks?

By William Jackson

Nov 07, 2012

This is the first a three-part series on building a government cybersecurity ecosystem.

Since its inception, the Internet has grown wild, which has spurred innovation, activity and information sharing, but has left security and standards unattended. The result is an online environment where outlaws can roam free.

In this series

Could a cyber ecosystem defend itself?

A multiagency group hopes to create a cyber ecosystem that could learn to automatically assess and respond to threats. Where would humans fit in the loop? Read more.

How to build an immune system for cybersecurity

Government researchers are using the human immune system as a model for building a cybersecurity ecosystem, whose features would include automation, interoperability and authentication technologies. Read more.

Agencies outline future cyber ecosystems

Plans to develop an automated system for defending agencies from cyber attacks could look to existing agency projects, including the Energy Department’s Smart Grid and FAA’s Next Generation Air Transportation System, as models for self healing networks. Read more.

Now a multiagency effort wants to impose a little order with a structured cyber “ecosystem” that could automatically assess and respond to threats, learn from previous incidents and even heal itself.

Through a recent request for information issued in September, the Homeland Security Department and the National Institute of Standards and Technology are examining the current state of technology and the advances needed to create what they call a healthy and resilient system capable of using a defensive concept called Automated Collective Action. The goal is a broad-based, multi-agency or even global system that could, through machine learning and automated information sharing, detect, mitigate and respond to threats while maintaining mission-critical operations.

“We need automation because we are being attacked in an automated fashion and we need to respond in an automated fashion,” said a DHS official.

In addition to determining how — and if — technology can provide the interoperability, automation and authentication necessary to create this capability, one of the key questions being considered is where humans would fit into the decision loop. With attacks occurring and evolving at the speed of IT, human response times no longer are adequate to counter many threats, even with a trained workforce available to do the analysis and make decisions.

But false positives and unintended consequences are facts of IT systems, and some observers are concerned that turning over too much authority to the machines could do more harm than good. So the effort is moving ahead at a deliberate pace. “We want to make sure we have as much input as possible,” the DHS official said.

The goal of Automated Collective Action is defined in the RFI as processes within the system or community of interest that pick automated courses of action to be carried out by the ecosystem in response to cybersecurity threats.

“Policies, procedures, technology and a high level of trust are necessary to enable automated collective action,” according to the DHS/NIST document. “An appropriate level of human intervention might be required to ensure unintended consequences do not result from flawed courses of action. Determining which cybersecurity events are normal and which are unauthorized or malicious remains a major challenge.”

Like environmentalists, who are encouraged to think globally and act locally, a secure cyber ecosystem would combine local response with global awareness. The concept is not entirely new, and pieces of it already are being developed in the form of standards and best practices, such as the Security Content Automation Protocol (SCAP) developed by NIST for use by agencies in assessing, monitoring and reporting on system security status.

But moving from these isolated parts to an integrated, autonomous ecosystem that crosses enterprise boundaries remains a challenging task, the RFI acknowledges. “Implementing automated collective action in defense of the cyber ecosystem will require a partnership and a common collective vision among the private sector, academia, government and consumers.”

Much of the impetus for a secure cyber ecosystem is to correct the shortcomings of a networked environment that was not developed with security in mind, said Michael A. Brown, a former fed and now manager of federal business for RSA, the security division of EMC.

“It’s an attempt to create a more secure, operational relevant ecosystem,” said Brown, a retired rear admiral who recently was director of cybersecurity. “It’s difficult because the government didn’t require certain things when the private sector developed these abilities,” such as interoperability, automation and trustworthy authentication of both people and devices.

The RFI, which Brown helped to write, is an effort he said to determine “what the art of the possible is right now to accomplish this.”

inside gcn

Reader Comments

Thu, Nov 8, 2012
John
MN

local response with global awareness would be to say that in the decision cycle, the role of the person would be to make sure the automated collective action would turn on when it senses a gap to monitor, but not engage, until given the proper order or partnership.

Thu, Nov 8, 2012
Earth

“Implementing automated collective action in defense of the cyber ecosystem will require a partnership and a common collective vision among the private sector, academia, government and consumers.”

“And consumers”, how exactly it that supposedly going to happen? I mean how do they intend to get informed cooperation, much less informed consent, from the consumers about a self modifying cyber system. That’s seems about as likely as Facebook users staying informed about Facebook’s constantly changing security settings, only in real time.

Just make sure everyone knows to answer “no” if it asks: “Do you want to play a game?”

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.